Russ Allbery [Fri, 1 Mar 2013 01:49:05 +0000 (17:49 -0800)]
Don't log the raw app token when it cannot be decoded
Stop logging the raw binary app token in mod_webauth when it cannot be
decoded. This was old debugging code left over from fixing a problem
in a much earlier version of WebAuth.
Russ Allbery [Fri, 1 Mar 2013 01:47:23 +0000 (17:47 -0800)]
Better mod_webauth logging when the app cookie has expired
Log a more informative message in mod_webauth when the user's app
cookie has expired instead of a generic parse error and downgrade it
to the info level from error.
Russ Allbery [Fri, 1 Mar 2013 01:47:00 +0000 (17:47 -0800)]
Ignore empty app cookies in mod_webauth
Ignore empty app cookies rather than logging an error saying they
cannot be parsed. These are created internally by mod_webauth to
remove expired cookies and may be seen by subqueries.
Russ Allbery [Thu, 28 Feb 2013 05:22:26 +0000 (21:22 -0800)]
Avoid calling malloc(0) in the xmalloc test
xmalloc(0) is valid and something that we'll test, but malloc(0)
isn't. When probing for malloc sizes, malloc at least one byte.
Caught by clang --analyze.
Russ Allbery [Thu, 28 Feb 2013 04:30:20 +0000 (20:30 -0800)]
Avoid possible NULL dereference when checking LoA
In the WebKDC login code, if the user information service call
failed but we have a minimum LoA from the request, we might
dereference a NULL pointer when determining the correct error
message if the existing authentication has too small of an LoA.
Caught by clang --analyze.
Russ Allbery [Thu, 28 Feb 2013 04:26:35 +0000 (20:26 -0800)]
Properly check the result when decoding Kerberos credentials
We were ignoring the result of the decoding and continuing on with
an all-zero credential struct. We would reject that later for other
reasons, but return the error right away.
Russ Allbery [Thu, 28 Feb 2013 04:03:22 +0000 (20:03 -0800)]
Allow webauth_factors_string to take a NULL argument
If a NULL struct is passed in, return NULL. This was used at one
place in lib/webkdc-login.c even though gcc was told that it was
impossible. Caught by clang --analyze.
Russ Allbery [Tue, 26 Feb 2013 18:51:33 +0000 (10:51 -0800)]
Add support for WEBAUTH_PERL_FLAGS while building
If this variable is set as a make variable, its contents will be
passed to the perl Build.PL invocation. This is primarily to
support Debian package builds, which need a way to pass additional
flags to the Perl module build.
Russ Allbery [Tue, 26 Feb 2013 04:44:35 +0000 (20:44 -0800)]
Fix obscure time bug in the Perl token-decode test
Similar to an earlier bug in token-encode, when checking raw encoding, we
build the encoding we expect using pack, but the old version of the test
doesn't allow for the possibility that the encoded time will happen to
contain the byte for an ASCII semicolon. Add a function to wrap pack and
double the semicolon in that case.
Russ Allbery [Thu, 21 Feb 2013 02:13:43 +0000 (18:13 -0800)]
Fix handling of equal authorization and authentication ids
If the user asserts an authorization identity equal to their
authentication identity, discard the authorization identity in the
WebKDC login process and continue as if they did not choose an
authorization identity. This fixes a previously fatal error when the
user selects their default identity in WebLogin (if, for example, they
are trying to undo a previous choice of authorization identity).
Thanks to Benjamin Coddington for the report.
Russ Allbery [Fri, 8 Feb 2013 00:38:01 +0000 (16:38 -0800)]
Add the URL to the user information service specification
This was missed in the install-multifactor setup documentation when
we added this for user restriction support. Document that the url
parameter comes before the factors parameter, and that we will send
the empty string if we have factors and no URL.
Russ Allbery [Thu, 7 Feb 2013 00:52:38 +0000 (16:52 -0800)]
Remove limit on multivalued attributes in mod_webauthldap
Remove an arbitrary limit in mod_webauthldap on the number of values
from a multivalued LDAP attribute that are put in the environment.
Previous versions would only add the first 127 values, but there are
some cases where one may want to see more values than that. This
opens the possibility of overflowing the allowed size of the
environment, but the maximum environment size is quite large on most
modern operating systems.
Russ Allbery [Wed, 6 Feb 2013 00:30:09 +0000 (16:30 -0800)]
Update Perl coding style in utility scripts
Always cuddle else. Use a standard preamble for most scripts.
Adjust for requiring regex metacharacters to be escaped with
character classes again. Redo how checked print and say are
handled and be more consistent about always passing the file
handle. Add parens around built-in arguments (ick) in most cases.
Clean up a few other minor things I noticed while going through
the scripts.
Russ Allbery [Wed, 6 Feb 2013 00:29:00 +0000 (16:29 -0800)]
Update Perl coding style configuration
Following an IDG meeting about Perl coding style, update the style
configuration for the result of that meeting. Reintroduce the test
for escaped metacharacters (I'll override with no critic where needed),
allow parens around arguments to built-ins, and don't force blank
lines before comments since we're now always cuddling else.
Russ Allbery [Wed, 6 Feb 2013 00:27:52 +0000 (16:27 -0800)]
Fix obscure bug in the Perl token-encode test
When checking raw encoding, we build the encoding we expect using
pack, but the old version of the test doesn't allow for the
possibility that the encoded time will happen to contain the byte
for an ASCII semicolon. Add a function to wrap pack and double
the semicolon in that case.
(This actually randomly happened in one Debian package build.)
Russ Allbery [Tue, 5 Feb 2013 01:02:39 +0000 (17:02 -0800)]
Add protocol updates for persistent factors
Update the protocol specification to add factor tokens to the
<requestTokenRequest> and <requestTokenResponse> APIs and to define
a new webkdc-factor token type. Add the cookie naming used to store
those tokens in the browser. Update the user information service
API to pass already-established factors to the webkdc-userinfo
request and to allow the webkdc-validate response to set persistent
factors.
Russ Allbery [Fri, 1 Feb 2013 08:14:12 +0000 (00:14 -0800)]
Fix Perl builds when builddir != srcdir
Fix out-of-tree builds with --enable-webkdc. Some of the logic to
ensure the Perl modules could build when the build directory was not
the source directory had not been tested for a while.
Not all the right directories were being created to copy over the
Perl source files, and the Perl build didn't have all the right -I
flags to pick up the portable/* header files.
Also simplify make distclean when builddir != srcdir to not bother
trying to remove the perl subdirectories. make distclean in this
situation rarely tries hard to remove directories.
Russ Allbery [Fri, 1 Feb 2013 08:07:22 +0000 (00:07 -0800)]
Ignore a subdirectory builddir in Perl tests
Give the Perl tests even more intelligence about directory manipulation
so that they can detect the case where the build directory is a
subdirectory of the source directory and where the path to the source
directory is given as .. instead of a full path. In that case, don't
try to check syntax or coding style of files in the build directory.
Russ Allbery [Fri, 1 Feb 2013 01:53:27 +0000 (17:53 -0800)]
Hide "Copyright" in clean-apache-manual from build-license
Having a copyright line in the regex data for clean-apache-manual
was confusing the script I use to generate the LICENSE file. Work
around that with a trivial character class.
Russ Allbery [Wed, 30 Jan 2013 01:03:44 +0000 (17:03 -0800)]
Document theming WebLogin via environment variables
Add documentation to install-webkdc explaining how to point WebLogin
at multiple configurations while using the same code by setting an
environment variable inside Apache. (Doesn't work with FastCGI,
sadly.)
Document the environment variable for the configuration file path in
weblogin-config.
Russ Allbery [Tue, 29 Jan 2013 22:56:38 +0000 (14:56 -0800)]
Switch Perl build process to Module::Build
WebLogin and the WebAuth Perl bindings are now built with
Module::Build instead of ExtUtils::MakeMaker. This should be
transparent to anyone not working with the source code, but
Module::Build and ExtUtils::CBuilder are now required to build the
WebLogin code. They are included in Perl 5.10 or later and can be
installed separately for older versions of Perl.
Process all of the Apache module manuals with clean-apache-manual
to remove Apache-specific bits and an incorrect copyright and
license statement. Add sidebar links to the non-directive sections.
Russ Allbery [Wed, 16 Jan 2013 23:43:26 +0000 (15:43 -0800)]
Add a new script to clean up generated module manuals
The XML format for documenting Apache modules, and the corresponding
build system to generate formatted HTML, is quite useful even outside
of Apache for documenting external modules. However, the output of
the Apache documentation build system includes some Apache-specific
content, such as a comments section that only works on the Apache site
and a license (Apache 2.0) that may not be appropriate.
This script is used to post-process the formatted documentation for
the WebAuth Apache modules to remove those elements. It should work
(but has not been tested with) Apache module documentation for other
third-party modules.
Russ Allbery [Wed, 16 Jan 2013 21:19:34 +0000 (13:19 -0800)]
Use a persistant CGI::Application object in WebLogin
When run under FastCGI, the WebLogin scripts now use a persistent
CGI::Application object instead of recreating it for each query. This
avoids reinitializing the Template Toolkit and reopening memcached
connections for each query.
Russ Allbery [Mon, 14 Jan 2013 20:53:54 +0000 (12:53 -0800)]
Add support for a WebLogin authenticate callback
Add a new authenticate callback to the WebLogin configuration. If
this function is present in webkdc.conf, it will be called for every
user visit to WebLogin and may return the user's authentication
information or an empty list to defer to normal handling. This can be
used to extract authentication information from the full WebLogin
environment; for example, it could map information about a successful
client-side certificate authentication to an authentication identity.
Russ Allbery [Thu, 20 Dec 2012 03:24:40 +0000 (19:24 -0800)]
Make perl/strict test only run in maintainer mode
Random scripts in the source directory may require optional Perl
modules be installed or have other dependencies that can't be
satisfied by every user. Also, otherwise we have to find a way
to add the path to the Perl modules we just built, and do something
else when built without the WebKDC.
Russ Allbery [Thu, 20 Dec 2012 00:08:41 +0000 (16:08 -0800)]
Document that Perl critic configuration comes from rra-c-util
Add a header to the perlcriticrc and perltidyrc configuration files
stating their origin, and add a license statement to perlcriticrc,
which is large enough to require it.
Russ Allbery [Wed, 19 Dec 2012 23:54:45 +0000 (15:54 -0800)]
Update to rra-c-util 4.7
* Fix probing for Heimdal's libroken to work with older versions.
* Checked asprintf variants are now void functions and cannot fail.
* Include a replacement strndup for systems that don't have it.
Russ Allbery [Tue, 18 Dec 2012 00:29:54 +0000 (16:29 -0800)]
Document authz identity interaction with proxy tokens and auth type
Document that authorization identities are ignored when using a
subject auth type of krb5, and that id and cred tokens obtained
from proxy tokens will not include the authorization identity.
Also document that delegated credentials will always be for the
authentication identity.
Russ Allbery [Tue, 18 Dec 2012 00:27:40 +0000 (16:27 -0800)]
Ignore authorization identity for krb5 subject auth type
Setting the subject auth type to krb5 indicates that mod_webauth
should independently verify the identity of the user. Since the
authorization identity cannot be independently verified, it will
be ignored in this case.
Russ Allbery [Fri, 14 Dec 2012 18:16:00 +0000 (10:16 -0800)]
Simplify Heimdal code for decoding flag bits
The logic that I originally copied from the Heimdal source was
excessively complex because it was manipulating a flag value that
was in network byte order rather than host byte order. Our attribute
decoder guarantees that everything will be in host byte order before
we see it, so we don't have to manipulate the mask based on local
byte order.
Russ Allbery [Fri, 14 Dec 2012 08:06:19 +0000 (00:06 -0800)]
Probe for Kerberos headers using file existence in some cases
Probe for Kerberos headers using file existence checks instead of the
compiler if a Kerberos root or include path was given. Otherwise, the
compiler may find the wrong header in the system default include path and
incorrectly assume krb5.h should be used instead of krb5/krb5.h.
Russ Allbery [Fri, 14 Dec 2012 08:04:31 +0000 (00:04 -0800)]
Fix encoding and decoding of ticket flags with Heimdal
Fix encoding of ticket flags with Heimdal Kerberos and tolerate the
old, incorrect encoding. All previous versions of WebAuth, when built
with Heimdal, encoded the ticket flags on the wire with the flag bits
reversed (matching the in-memory Heimdal format). Prior to this
version, flags would be lost when reading credentials encoded via MIT
Kerberos with Heimdal or vice versa. As of this release, the portable
flag encoding used for ticket caches is used when writing credentials
with both MIT and Heimdal, and the flag order is detected when
decoding credentials and fixed if necessary. If you use delegated
credentials and link with Heimdal Kerberos, upgrade mod_webauth prior
to upgrading the WebKDC to ensure the ticket flags are conveyed
correctly.
Russ Allbery [Fri, 14 Dec 2012 07:59:53 +0000 (23:59 -0800)]
Fix the Kerberos test suite to build with Heimdal
Various problems on Heimdal crept in. Also add two more credentials
to test with: an Active Directory ticket encoded with Heimdal and a
ticket encoded with the old method of encoding the flags. Fixes to
the flag encoding are coming in the next commit.
Russ Allbery [Fri, 14 Dec 2012 05:19:30 +0000 (21:19 -0800)]
Note Perl 5.8.0 requirement for some modules
Apparently use base qw(Exporter) requires Perl 5.8.0. Mark the
two modules that use Exporter accordingly, and update the version
requirement in README.
Russ Allbery [Fri, 14 Dec 2012 01:14:23 +0000 (17:14 -0800)]
Add test suite for decoding existing Kerberos credentials
Take apart some encoded Kerberos credentials included in the package
test data and ensure that the results match what we expect. Checking
of addresses is not yet implemented.
Also add a Perl script, make-krb5-cred, which will generate Kerberos
credentials from a ticket cache.
Russ Allbery [Fri, 14 Dec 2012 01:13:23 +0000 (17:13 -0800)]
Fix encoding of Kerberos credentials with addresses or authdata
Fix encoding of Kerberos credentials containing addresses or authdata
when built against MIT Kerberos. WebAuth 4.3.0 and later would fail
to encode those credentials properly. This bug only affects people
using credential delegation with either Active Directory or with
Kerberos configured to add addresses to tickets, which are relatively
rare configurations.
Russ Allbery [Thu, 13 Dec 2012 00:00:10 +0000 (16:00 -0800)]
Use a different layout for Perl function comments
The template suggested by Perl Best Practices is both large and
kind of cluttered. Use something that's closer to free-form text
but that breaks out the parameters separately.
Russ Allbery [Wed, 12 Dec 2012 22:58:42 +0000 (14:58 -0800)]
Fix several WebLogin syntax errors
The most recent set of changes to WebLogin introduced several
syntax errors and coding problems. Clean those up. (I should
have run the test suite like I claimed to have done.)
Russ Allbery [Wed, 12 Dec 2012 01:37:59 +0000 (17:37 -0800)]
Use local to localize KRB5CCNAME change in WebLogin
When doing the query for password expiration times, we need to
temporarily change the value of KRB5CCNAME. Do this with local
so that we don't have to remember the other value and restore it.
Russ Allbery [Wed, 12 Dec 2012 00:41:48 +0000 (16:41 -0800)]
Remove erroneous statement about realm canonicalization
The realms listed in mod_webkdc directives should just be normal
realm names. They don't have to be escaped; mod_webkdc no longer
compares escaped forms.
Russ Allbery [Wed, 12 Dec 2012 00:01:36 +0000 (16:01 -0800)]
Add new WebLogin error template parameters for new errors
Move the error message for replayed authentications and accounts
locked out due to too many failed login attempts into the error
template and out of the WebLogin Perl module. This will make
site-specific content and localization easier to do.